- strongSwan enumerates every available transform in the first IKE_SA_INIT. That is far too many for the Cisco SeGW, and some of the transforms are ones it does not recognise, so the SeGW simply drops the message and never responds. The original configuration was:
ike=aes128-sha1-prfsha1-modp1024,aes256-sha1-prfsha1-modp1024,3des-md5-prfmd5-modp1024,3des-sha1-prfsha1-modp1024,des-sha1-prfsha1-modp1
esp=aes128-sha1-modp1024,3des-md5
Cisco SeGW reports:
Too Many Transforms: 110
A packet dump on the Cisco side shows something like this (IANA DH group 30 is brainpoolP512r1, which the SeGW does not know):
(........a lot of transforms.........)
Transform Header #39
    Last (U08): Yes/0 (0x00)
    Reserved (U08): 0
    Transform Length (U16): 8 (0x8) bytes
    Transform Type (U08): DHGROUP/4 (0x04)
    Reserved (U08): 0
    Transform ID (U16): UNKNOWN/30 (0x001E)
FIX: restrict the proposals to exactly what the SeGW accepts. The trailing "!" tells strongSwan to send only the listed transforms instead of appending its defaults:
ike=aes128-sha1-prfsha1-modp1024!
esp=aes128-sha1-modp1024!
- By default MOBIKE is enabled in strongSwan, while the Cisco SeGW does not support it. The tunnel is created without any problem. However, every packet encrypted with ESP is received by the SeGW but "somehow" not recognised: for example, an encrypted ping request reaches the SeGW, is not decrypted, and is dropped.
On the strongSwan PC, none of the encrypted pings from the SeGW are received.
FIX: disabling MOBIKE fixes this issue:
mobike=no
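The two problems above (an oversized or partly unknown proposal list, and MOBIKE left on) are both visible in the ipsec.conf conn block before the tunnel is ever brought up. The pre-flight lint below is an added example written for this post; it is not strongSwan's or Cisco's code. It parses one conn section, expands the ike= and esp= proposal strings into IKEv2 transforms, flags proposals without the trailing "!", counts transforms against a limit, maps DH keywords to their IANA group IDs so an unknown group shows up as the SeGW would report it, and checks mobike. The transform limit (LIMIT) and the peer's supported DH groups (PEER_DH) are constructed values, not figures from the post or from Cisco documentation, and the sample conn blocks are constructed too.

```python
"""Pre-flight lint for a strongSwan ipsec.conf conn block aimed at a peer that
drops long IKE_SA_INIT proposals (the Cisco SeGW behaviour described above).

Added example for this post; not strongSwan's or Cisco's code.
Assumptions: one IKEv2 transform substructure per algorithm keyword in a
proposal (key length is an attribute of ENCR, not its own transform);
strongSwan's implicit additions (ESN for ESP, a PRF derived from the integrity
algorithm when none is given) are not modelled, so real counts may be higher.
"""

# strongSwan keyword -> IANA IKEv2 Transform Type 4 (Diffie-Hellman group) ID
DH_GROUPS = {
    "modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
    "modp4096": 16, "modp6144": 17, "modp8192": 18, "ecp256": 19, "ecp384": 20,
    "ecp521": 21, "modp1024s160": 22, "modp2048s224": 23, "modp2048s256": 24,
    "ecp192": 25, "ecp224": 26, "ecp224bp": 27, "ecp256bp": 28, "ecp384bp": 29,
    "ecp512bp": 30, "x25519": 31, "x448": 32,
}
INTEG_NAMES = {"md5", "sha1", "sha1_160", "sha256", "sha384", "sha512", "aesxcbc", "aescmac"}
ENCR_PREFIXES = ("aes", "3des", "des", "camellia", "chacha20", "null", "blowfish",
                 "cast", "serpent", "twofish")


def classify(keyword):
    """Map a strongSwan algorithm keyword to its IKEv2 transform type."""
    if keyword.startswith("prf"):
        return "PRF"
    if keyword in DH_GROUPS:
        return "DH"
    if keyword in INTEG_NAMES:          # before ENCR: 'aesxcbc' is integrity, not AES
        return "INTEG"
    if keyword.startswith(ENCR_PREFIXES):
        return "ENCR"
    if keyword in ("esn", "noesn"):
        return "ESN"
    raise ValueError(f"unknown algorithm keyword: {keyword}")


def parse_proposals(spec):
    """'aes128-sha1-modp1024,3des-md5!' -> (strict, [[(type, keyword), ...], ...])."""
    strict = spec.endswith("!")
    proposals = []
    for chunk in spec.rstrip("!").split(","):
        chunk = chunk.strip()
        if chunk:
            proposals.append([(classify(a), a) for a in chunk.split("-")])
    return strict, proposals


def parse_conn(text, name):
    """Collect key=value settings from one 'conn <name>' section of ipsec.conf."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("conn ", "config ", "ca ")):
            inside = line == f"conn {name}"
            continue
        if inside and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def lint_conn(text, name, peer_dh_groups, max_transforms):
    """Return a list of findings; an empty list means the conn looks safe for this peer."""
    cfg = parse_conn(text, name)
    findings = []
    for key in ("ike", "esp"):
        if key not in cfg:
            findings.append(f"{key}= not set: strongSwan will send its full default list")
            continue
        strict, proposals = parse_proposals(cfg[key])
        total = sum(len(p) for p in proposals)
        if not strict:
            findings.append(f"{key}= lacks trailing '!': default proposals get appended")
        if total > max_transforms:
            findings.append(f"{key}= carries {total} transforms, limit {max_transforms}")
        for prop in proposals:
            for ttype, kw in prop:
                if ttype == "DH" and DH_GROUPS[kw] not in peer_dh_groups:
                    findings.append(f"{key}= uses {kw} (DH group {DH_GROUPS[kw]}): peer would report UNKNOWN")
    if cfg.get("mobike", "yes") != "no":   # strongSwan's default is mobike=yes
        findings.append("mobike not disabled: ESP to a non-MOBIKE peer may be dropped")
    return findings


# Constructed sample conn blocks: the problem settings and the fixed version.
BROKEN_CONF = """\
conn segw
    keyexchange=ikev2
    ike=aes128-sha1-prfsha1-modp1024,aes256-sha1-prfsha1-ecp512bp
    esp=aes128-sha1-modp1024,3des-md5
"""
FIXED_CONF = """\
conn segw
    keyexchange=ikev2
    ike=aes128-sha1-prfsha1-modp1024!
    esp=aes128-sha1-modp1024!
    mobike=no
"""
PEER_DH = {2, 14}   # constructed assumption: peer knows only modp1024 and modp2048
LIMIT = 16          # constructed placeholder, not the SeGW's real transform limit

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_conn(conf, "segw", PEER_DH, LIMIT) or ["ok"])
```

Run against the broken block it reports the missing "!" on both ike= and esp=, the unknown DH group 30 (the same UNKNOWN/30 the Cisco dump showed), and the enabled MOBIKE; the fixed block returns no findings. Because the lint only counts the keywords you wrote, treat its transform total as a lower bound when comparing against what the SeGW actually complains about.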
Wednesday, December 10, 2014
Strongswan and Cisco ASR5000 SeGW